Secure Nutanix with cnspec
Scan Nutanix Prism Central environments against security and compliance best practices with cnspec.
Scan your Nutanix environment through Prism Central to find security risks before they become incidents. cnspec evaluates clusters, hypervisor hosts, virtual machines, storage containers, networks, and IAM users, groups, and roles. It needs no agents installed on your infrastructure.
Prerequisites
To scan Nutanix with cnspec, you must have:
- cnspec installed on your workstation
- A Nutanix Prism Central instance
- Credentials to authenticate (either a username and password or an IAM API key)
- Network access from your workstation to the Prism Central API (port 9440 by default)
Authenticate
cnspec connects to Prism Central and supports two authentication methods.
Basic authentication
Use a Prism Central username with a password. Use an account that has at least read-only permissions on the resources you want to scan. To keep the password off the command line (and out of your shell history), pass --ask-pass so that cnspec prompts you for it instead.
IAM API key
Use an IAM API key for service-account authentication by passing --api-key.
Connection flags
| Flag | Description |
|---|---|
| --endpoint | Prism Central host: IP address or FQDN (required) |
| --port | Prism Central API port (default 9440) |
| --user | Username for basic authentication |
| --password, -p | Password for basic authentication |
| --ask-pass | Prompt for the connection password |
| --api-key | IAM API key for service-account authentication |
| --insecure, -k | Skip TLS certificate verification |
If your Prism Central instance uses a self-signed certificate, add --insecure (or -k) to skip TLS verification.
Verify with a quick Nutanix check
Confirm that cnspec can reach your Nutanix environment:
```shell
cnspec run nutanix \
  --endpoint pc.example.com \
  --user admin \
  --ask-pass \
  -c 'nutanix.clusters != empty'
```
Scan Nutanix
Scan your Nutanix environment with basic authentication:
```shell
cnspec scan nutanix \
  --endpoint pc.example.com \
  --user admin \
  --ask-pass
```
Or authenticate with an IAM API key:
```shell
cnspec scan nutanix \
  --endpoint pc.example.com \
  --api-key API_KEY
```
Apply your own policies
You can write your own policies to check your Nutanix environment against your specific security and compliance requirements, then pass the bundle to cnspec:
```shell
cnspec scan nutanix \
  --endpoint pc.example.com \
  --api-key API_KEY \
  --policy-bundle my-nutanix-policy.mql.yaml
```
Mondoo Platform users: Browse the policies available for your environment in the Mondoo App under Findings > Policies. Any policies you enable in your space automatically evaluate on future scans. To learn more, read Manage Policies.
Explore and test checks interactively
Open a cnspec shell to discover resources and try out checks:
```shell
cnspec shell nutanix \
  --endpoint pc.example.com \
  --api-key API_KEY
```
Cluster overview
```
cnspec> nutanix.clusters { name version nodeCount vmCount redundancyFactor isAvailable }
```
Inspect cluster security settings
```
cnspec> nutanix.clusters {
  name
  isRemoteSupportEnabled
  isPasswordRemoteLoginEnabled
  encryptionInTransitStatus
}
```
List hypervisor hosts with hardware information
```
cnspec> nutanix.hosts { name hypervisorType hypervisorFullName cpuModel cpuCores memorySizeBytes }
```
List virtual machines
```
cnspec> nutanix.vms { name powerState memorySizeBytes numSockets numCoresPerSocket }
```
Find powered-on VMs without guest tools
```
cnspec> nutanix.vms.where(powerState == "ON") { name guestTools }
```
Audit storage container encryption
```
cnspec> nutanix.storageContainers { name isEncrypted isCompressionEnabled replicationFactor }
```
Review networks and NAT configuration
```
cnspec> nutanix.subnets { name subnetType isExternal isNatEnabled ipPrefix }
```
Audit IAM users
```
cnspec> nutanix.users { username displayName userType status lastLoginTime }
```
Inspect roles and their assignments
```
cnspec> nutanix.roles { displayName isSystemDefined assignedUsersCount assignedUserGroupsCount }
```
Learn more
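The following policy bundle is an added example for the "Apply your own policies" and "Explore and test checks interactively" sections; it is not part of the cnspec documentation or the Nutanix resource pack. It turns the interactive queries above into pass/fail checks you can pass to cnspec scan with --policy-bundle. The resource and field names are the ones shown on this page; the policy uid, check uids, impact values, the "ENABLED" status string for encryptionInTransitStatus, and the null check on guestTools are assumptions to confirm in the cnspec shell before relying on the results.

```yaml
# my-nutanix-policy.mql.yaml
# Added example bundle (not Mondoo's or Nutanix's own code). Field names follow
# the queries on this page; the encryptionInTransitStatus value and the
# guestTools null check are assumptions, so confirm them in the cnspec shell.
# Groups carry no asset filters because this page does not give the Nutanix
# asset platform identifier; add one if you combine this with other bundles.
policies:
  - uid: my-nutanix-policy
    name: Example Nutanix Prism Central hardening policy
    version: 1.0.0
    authors:
      - name: Platform security team (example)
    groups:
      - title: Cluster hardening
        checks:
          - uid: nutanix-cluster-remote-support-disabled
          - uid: nutanix-cluster-password-remote-login-disabled
          - uid: nutanix-cluster-encryption-in-transit
      - title: Workload and data protection
        checks:
          - uid: nutanix-storage-container-encrypted
          - uid: nutanix-running-vm-has-guest-tools
      - title: IAM hygiene
        checks:
          - uid: nutanix-custom-role-assigned

queries:
  - uid: nutanix-cluster-remote-support-disabled
    title: Remote support is disabled on every cluster
    impact: 70
    mql: nutanix.clusters.all(isRemoteSupportEnabled == false)
    docs:
      desc: Remote support opens an outbound support channel from the cluster; keep it off unless an open support case needs it.
      remediation: Disable remote support in Prism Central for each cluster this check reports.

  - uid: nutanix-cluster-password-remote-login-disabled
    title: Password-based remote login is disabled on every cluster
    impact: 80
    mql: nutanix.clusters.all(isPasswordRemoteLoginEnabled == false)
    docs:
      desc: Password logins are exposed to guessing and credential reuse; key-based access is preferred.

  - uid: nutanix-cluster-encryption-in-transit
    title: Encryption in transit is enabled on every cluster
    impact: 60
    # "ENABLED" is an assumed status string. Check the real values first with:
    #   cnspec> nutanix.clusters { name encryptionInTransitStatus }
    mql: nutanix.clusters.all(encryptionInTransitStatus == "ENABLED")

  - uid: nutanix-storage-container-encrypted
    title: Every storage container is encrypted at rest
    impact: 80
    mql: nutanix.storageContainers.all(isEncrypted == true)
    docs:
      remediation: Enable encryption on the reported storage containers (or the cluster-wide data-at-rest setting).

  - uid: nutanix-running-vm-has-guest-tools
    title: Powered-on VMs have guest tools
    impact: 30
    # Assumes guestTools is null when a VM reports no guest tools.
    mql: nutanix.vms.where(powerState == "ON").all(guestTools != null)

  - uid: nutanix-custom-role-assigned
    title: Custom roles are assigned to at least one user or group
    impact: 20
    # Unassigned custom roles are dead configuration that tends to accumulate
    # permissions nobody reviews.
    mql: nutanix.roles.where(isSystemDefined == false).all(assignedUsersCount > 0 || assignedUserGroupsCount > 0)
```

Save the file as my-nutanix-policy.mql.yaml and run it with the cnspec scan command shown under "Apply your own policies". Each mql expression uses all() over a resource list, so a check passes only when every cluster, container, VM or role satisfies it, and the scan output names the items that do not.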
- Nutanix Resource Pack Reference — every Nutanix resource and field cnspec can query
- Write Effective MQL — guide to authoring checks and queries